Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Using Drill-Down and Table View Pages
• the table view of intrusion events
• the packet view
Each of these pages is described in
The drill-down views and table view of events share some common features that you can use to narrow
a list of events and then concentrate your analysis on a group of related events. The following table
describes these features.
Table 18-2 Intrusion Event Common Features
To...
You can...
learn more about the columns that appear
find more information in
.
view a host’s profile
click the host profile icon that appears next to the host IP address.
view geolocation details
click the flag icon that appears in the Source Country or Destination Country columns.
modify the time and date range for displayed events
find more information in
Note that events generated outside the appliance's configured time window (whether
global or event-specific) may appear in an event view if you constrain the event view
by time. This may occur even if you configured a sliding time window for the
appliance.
sort and constrain events on the current workflow page
find more information in:
•
•
the
table
•
the
navigate within the current workflow page
find more information in
Tip
To avoid displaying the same intrusion events on different workflow pages, the
time range pauses when you click a link at the bottom of the page to display
another page of events, and resumes when you click to take any other action
on the subsequent page. For more information, see
.
navigate between pages in the current workflow, keeping the current constraints
click the appropriate page link at the top left of the workflow page. For more
information, see
add events to the clipboard so you can transfer them to an incident at a later time
use one of the following methods:
• To copy several intrusion events on a workflow page to the clipboard, select the check boxes next to events you want to copy, then click Copy.
• To copy all the intrusion events in the current constrained view to the clipboard, click Copy All.
The clipboard stores up to 25,000 events per user. For more information, see
delete events from the event database
use one of the following methods:
• To delete selected intrusion events, select the check boxes next to events you want to delete, then click Delete.
• To delete all the intrusion events in the current constrained view, click Delete All, then confirm you want to delete all the events.